On the Statistical Distribution of Processing Times in Network Intrusion Detection

Proceedings of the 43rd IEEE Conference on Decision and Control, Bahamas, December 2004

On the Statistical Distribution of Processing Times in Network Intrusion Detection 



João B. D. Cabrera, Jaykumar Gosar, Wenke Lee and Raman K. Mehra

Scientific Systems Company, Inc., 500 West Cummings Park, Suite 3000, Woburn MA 01801 USA

Georgia Institute of Technology, College of Computing, 801 Atlantic Drive, Atlanta, GA 30332 USA

Abstract

Intrusion Detection Systems (IDSs) are relatively complex devices that monitor information systems in search of security violations. Characterizing the service times of network IDSs is a crucial step in improving their real time performance. We analyzed about 41 million packets organized in five data sets of 10 minutes each, collected at the entry point of a large production network and processed by Snort, a commonly used IDS. The processing times of the three main stages in Snort were measured. The main conclusions of our study were: (1) Rule checking accounts for about 75% of the total processing time in IDSs, with mean payload checking time being 4.5 times larger than mean header checking time. (2) The distribution of rule checking times is markedly bimodal, a direct consequence of the bimodality in packet composition in current high speed Internet traffic. (3) Header processing times have a small variance and small correlation coefficients. (4) In contrast, the distribution of payload processing times displays high variance, in a form that can be generally characterized as "slightly heavy-tailed". Explicitly, payload processing times have a Lognormal upper tail, clipped at the top 1%. This extreme upper tail is better fit by an Exponential distribution. (5) Additionally, payload processing times were shown to be highly correlated, with correlation coefficients several orders of magnitude higher than the confidence bands for the standard whiteness test. The impact of these findings on the design of IDSs for real time operation in networks is discussed, and compared with existing results for processing times of Unix processes, which were shown to display pronounced heavy-tailed characteristics.

1 Introduction

Intrusion Detection Systems (IDSs) are relatively complex devices that monitor information systems in search of security violations – [5], [19]. In network-based IDSs, data packets enter the IDS and are subjected to a number of processing steps whose ultimate objective is to determine whether or not the packet contains an intrusion. There are essentially three main steps in network IDSs, such as Snort – [6]:

Packet decoding: Decodes the header information at the different layers and creates a data structure for the packet, which is used in the next steps.

Preprocessing: Performs a number of preparatory steps on the packet, such as normalization, IP fragment reassembly, TCP stream reconstruction, etc.

Rule checking: Checks if the packet contains a particular string, or a collection of strings, which are associated with an intrusion. A rule consists at a minimum of a type of packet to search (protocol type), a string of content to match and a location where that string is to be searched for – [24]. Rule checking in Snort has two (sub)-steps: Non-Content Matching (NCM), performed on the packets' headers, and Content Matching (CM), performed on the packets' payloads.

Like any computing device operating in real time, the operational performance¹ of an IDS depends on the arrival rates of packets streaming at its input, and the service rates it provides to the packets. The two components are equally important in characterizing the performance of the IDS, and their understanding is crucial for the design of more efficient systems. The arrival rates of packets at network IDSs are the arrival rates of packets into the networking device in which it is installed, modulated by traffic shaping, if applicable. Much is known about the statistical properties of arrival rates of packets in the Internet, the result of extensive research, especially in the last decade – [7] and references therein. In contrast, very little is known about the statistical properties of service times in network IDSs. The focus of the research on network IDS evaluation has been on measuring the performance metrics as a function of the network load, traffic characteristics (balance between protocol types, presence of fragments, etc.) and complexity of the ruleset – e.g. [12], [23]. A recent study – [2] – measured the processing times of the various components of Snort, but no statistical characterization was attempted; its objective was to construct synthetic workloads out of real traffic, for use in IDS benchmarking. In this paper, we study the statistical properties of the service times in Snort, which we believe is an essential step in designing more efficient IDSs. Service times for Unix processes were investigated in [16] and [13], leading to new strategies for load balancing and processor design. We expect a similar effect from this current study in the design of network IDSs.

¹ By operational performance we mean the usual metrics of mean service time, percentage of dropped packets, etc.

2 Statistical Distributions of Processing Times

Five data sets of about 10 minutes, corresponding to 5-12 million packets each, were collected using the standard tool tcpdump at the main entry point to the network serving the College of Computing at the Georgia Institute of Technology. The packet streams were then input into Snort version 2.0.5, with its standard ruleset of 1458 rules. Specially designed instrumentation tools recorded the following variables for each packet:

- Packet size (payload size and header size are recorded separately).
- Time spent in preprocessing.
- Time spent in Non-Content Matching (NCM) detection.
- Time spent in Content Matching (CM) detection.
- Time spent in detection – NCM and CM².
- Protocol type – TCP (http, telnet, ...), ICMP, UDP.
- Alert status – Alert type, if an alert is issued.

The data sets were collected during week days. Some relevant statistics are presented in Table 1. Sets 1 and 2 were collected on the same day. To eliminate outliers caused by measurement errors in data collection, we repeated the same experiment twice for data set 1 and compared the resulting data records. Entries that were substantially different were deleted, and the same threshold was used for deletion in the other data sets. As an example, in data set 1 we recorded 73 packets with a time above 1,000 µs. However, the corresponding records for the repeated experiment were substantially lower, indicating that these measurements were outliers. Note that the mean times in Table 1 are quite similar for the five data sets. Moreover, detection time (NCM and CM) represents about 75% of the overall processing time of each packet, which agrees with the study in [2]. Since detection time considerably dominates the overall service time, we focus our study on its characterization.

Table 1:

Set No.     1      2      3      4      5
(µs)       1.70   1.64   1.68   1.70   1.67
(µs)       2.81   2.74   2.98   3.32   3.35
(µs)       14.7   13.6   12.7   13.1   13.5

In general terms, HO packets and HP packets constitute two very diverse populations. HP packets account for about 65% of the observed packets. Detection times for HP packets are typically 5.5 times larger than for HO packets. This is explained by the fact that HO packets are not subjected to CM processing. One of the remaining times tends to be larger for HP packets, a result of the packet size; another is larger for HO packets, an item whose explanation is under investigation.

The bulk of the alerts – 60%-80% across the five data sets – occurs in HP packets, but the alert rate per packet is roughly 0.15% for both HP and HO packets, with wide variations across the five data sets.

The results in Table 3 are particularly significant. The per-population values vary very little across the five data sets, HO

2.2 Bimodality and dependence on packet composition

Figure 1-(a) depicts the histogram of CM processing time for data set 1, which clearly indicates bimodality in its distribution. Figure 1-(b) depicts the histogram of packet size, which also displays bimodality. Similar results were verified for the other four data sets in reference to bimodality in CM processing time and packet size. To investigate the possible relationship between bimodality in CM processing time and bimodality in packet size, we plotted a scatter plot of CM processing time against packet size in Figure 1-(c). It clearly shows a monotonic relationship, with large packets producing large processing times. In quantitative terms, the correlation coefficient between

² Clearly,

[Figure 1: Bimodality of processing times and packet sizes. (a) Histogram of CM processing time, axis: Processing time (log10(T_d2+1)) (µs). (b) Histogram of packet size P (bytes). (c) Scatter plot of CM processing time T_d2 against packet size P. (d) CDF of packet size, Prob(P ≤ p), axis: Packet size (bytes).]

[Figure 2: Investigating heavy tails in CM processing time. (a) CCDF plots for the five data sets (Set 1 to Set 5), axis: CM processing time (T_d2). (b) CME(t) = E(T_d2 − t | T_d2 > t) plots for the five data sets. (c) CDF plots P(T_d2 ≤ t): Pareto, Exponential and Lognormal fits in the CUT (top plot – Lognormal is best) and EUT (bottom plot – Exponential is best) regions for data set 1.]
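As an added example (not code from the paper), the diagnostics behind Figure 2 and conclusions (4) and (5) of the abstract, applied to a per-packet list of CM processing times: the empirical CCDF, the conditional mean excess CME(t) = E(T − t | T > t), the lag autocorrelation against the whiteness-test confidence band, and a split of the upper tail into the clipped (CUT) and extreme (EUT) regions. The 10% tail cutoff, the function names and the sample values are assumptions; the paper fixes only the top 1% as the extreme tail.

```python
"""Heavy-tail and whiteness diagnostics for per-packet IDS processing times.

Added example, not code from the paper. Input: a list of per-packet
content-matching (CM) processing times in microseconds. The sample below
is constructed, not measured data.
"""
import math
from statistics import mean


def ccdf(times, t):
    """Empirical complementary CDF P(T > t), the Figure 2(a) quantity."""
    return sum(1 for x in times if x > t) / len(times)


def cme(times, t):
    """Conditional mean excess E(T - t | T > t), the Figure 2(b) quantity.
    Roughly flat in t for an Exponential tail, increasing for Lognormal/Pareto."""
    excess = [x - t for x in times if x > t]
    return mean(excess) if excess else float("nan")


def autocorr(times, lag):
    """Sample autocorrelation coefficient at the given lag."""
    n, m = len(times), mean(times)
    num = sum((times[i] - m) * (times[i + lag] - m) for i in range(n - lag))
    den = sum((x - m) ** 2 for x in times)
    return num / den if den else 0.0


def whiteness_band(n):
    """95% confidence band of the standard whiteness test for n samples."""
    return 1.96 / math.sqrt(n)


def exceeds_whiteness_band(times, max_lag=5):
    """Lags whose |autocorrelation| falls outside the whiteness band."""
    band = whiteness_band(len(times))
    return [k for k in range(1, max_lag + 1) if abs(autocorr(times, k)) > band]


def split_upper_tail(times, tail_frac=0.10, extreme_frac=0.01):
    """Split the sorted sample into the clipped upper tail (CUT: top tail_frac
    minus the top extreme_frac) and the extreme upper tail (EUT: top
    extreme_frac), the two regions fitted separately in Figure 2(c).
    tail_frac=0.10 is an assumption; the paper only fixes the 1% extreme tail."""
    s = sorted(times)
    n = len(s)
    cut_start = n - int(round(tail_frac * n))
    eut_start = n - int(round(extreme_frac * n))
    return s[cut_start:eut_start], s[eut_start:]


# Constructed sample (not measured data): header-only packets near 2 us
# alternating with payload-carrying packets whose CM times are much larger.
SAMPLE_US = [2, 12, 2, 18, 2, 25, 2, 40, 2, 60, 2, 15, 2, 22, 2, 33, 2, 250, 2, 17]
```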